MonkeHacks #24

Defcon, Detoxing, and the Navigation API

First of all - apologies for the delayed issue! I had a really, really busy week. I worked on some tooling, hacked a bit, but mostly I just hosted my friends, who were visiting Scotland. I’ll churn out another issue on Monday as usual, and do my best to pad it out with good content.

I walked up the Salisbury Crags with my friends. Obligatory amazing sunset.

100-Hour Challenge Updates

Here are this week’s statistics:

  • ⌛️ Hours This Week: 5

  • ⏳️ Hours Left: 6

  • 🗞️ Total Reports (All-Time): 3

  • ✅ Total Triages (All-Time): 3

  • ✨ New Triages (This Week): 0

  • 💸 Bounties: $25533

Into the final stretch! 6 hours left, and then I’ll try to write about everything. What I did, what I found, and what I would change. I would highly recommend that anyone interested in bug bounty as a career should take on this type of challenge.

Weekly Ideas / Notes

  • I wrote my own tooling for client-side hacking. I won’t be releasing this, but it’s quite powerful and has helped me quite a bit already. It’s a piece towards my ideal methodology.

  • I bought a TV from a large chain locally. I got a sweet discount on it because it was the model on display, but when it was delivered to me… the store was still signed into the store account! Crazy. Now my TV goes into demo mode if I leave it for a few minutes, which is pretty funny to me.

  • Defcon is coming up! I’m not going to Las Vegas this year - I did not get any LHE invites, so I don’t really have a reason to go, especially when it’s all coming out of pocket (I also don’t think my stats were good enough to be invited, so I’m not too bummed about it). I will probably log off Twitter for a while to avoid the FOMO, though.

  • Continuing that train of thought, I’ll be doing a social media detox soon. I’ve found that disconnecting helps me with coming up with original ideas for research and/or bugs.

  • Here’s a technical tip from some reading I did in the past week: just as a sandboxed iframe has window.origin = null, a srcdoc iframe has window.location.origin = null. This can be useful in very specific situations.

  • I was reading Joaxcar’s blog post on the Navigation API when something he said caught my eye: “Another less talked about feature of the same API is the navigation.entries() method. This method allows developers to access a list of history entries for the current window session.” And then: “I feel like there is an opportunity here to leverage the history entries in combination with an XSS for information leakage when other impact avenues are missing.”

    • I absolutely agree with him. Because you can access navigation.entries() via the Window object, this is a VERY nice bit of data to have access to. Consider, for example, that you have a useless XSS somewhere on Origin A. You could use this XSS to access other iframes or window references, and retrieve the complete history via .entries()!

    • For a more practical example: let’s suppose that there’s a page that redirects if a valid code is generated but the OAuth flow contains errors. We can’t access the code directly, as it redirects immediately. If this page were in an iframe or accessible via a window reference, and you had an XSS on a different page that held a reference to the redirecting page - you could use .entries() to retrieve the OAuth code! Super super fun.

  • Nobody told me that client-side hacking is this addictive. Send help.
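As an added example (not code from this newsletter or from Joaxcar’s post), here is the defender’s side of the Navigation API point above: navigation.entries() only exposes entries that are same-origin with the current document, so the thing to audit is whether any of your own pages leave an OAuth code or token sitting in a history entry URL, and the fix is to scrub the URL with history.replaceState and redirect with location.replace rather than by assigning location. The parameter list and sample URLs are constructed assumptions; the URL-handling parts also run under Node.

```javascript
// Added audit helper (not the newsletter's code). navigation.entries() only
// exposes same-origin entries, so the risk is a same-origin script (an XSS)
// reading URLs that still carry secrets. This flags and scrubs such URLs.

// Parameter names that must not survive in session history (assumed list).
const SENSITIVE_PARAMS = ['code', 'access_token', 'id_token', 'refresh_token', 'state'];

// Return the sensitive parameter names present in a URL's query or fragment.
function sensitiveParamsIn(url) {
  const u = new URL(url);
  const fragment = new URLSearchParams(u.hash.replace(/^#/, ''));
  const found = new Set();
  for (const params of [u.searchParams, fragment]) {
    for (const name of params.keys()) {
      if (SENSITIVE_PARAMS.includes(name)) found.add(name);
    }
  }
  return [...found];
}

// Given the URLs of history entries, report each one that still carries a
// secret. In a browser: auditHistory(navigation.entries().map((e) => e.url)).
function auditHistory(entryUrls) {
  return entryUrls
    .map((url, index) => ({ index, url, params: sensitiveParamsIn(url) }))
    .filter((entry) => entry.params.length > 0);
}

// Remove sensitive parameters from the query and fragment, leaving the rest.
function scrubUrl(url) {
  const u = new URL(url);
  for (const name of SENSITIVE_PARAMS) u.searchParams.delete(name);
  if (u.hash.length > 1) {
    const fragment = new URLSearchParams(u.hash.slice(1));
    const before = fragment.toString();
    for (const name of SENSITIVE_PARAMS) fragment.delete(name);
    if (fragment.toString() !== before) u.hash = fragment.toString();
  }
  return u.toString();
}

// Browser only: drop the secret from the current entry in place; a redirect via
// location.replace (not location assignment) then replaces that entry instead
// of pushing a new one and leaving the code-bearing URL behind in history.
function scrubCurrentEntry(redirectTo) {
  if (typeof history === 'undefined' || typeof location === 'undefined') return false;
  history.replaceState(history.state, '', scrubUrl(location.href));
  if (redirectTo) location.replace(redirectTo);
  return true;
}
```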

Resources